Securing Apigee Edge with an External Identity Provider

PrithpalJoelNandan

Feb 28, 2017

We’re excited to announce the general availability of SAML-based single sign-on (SSO) for Apigee Edge for customers managed and hosted by Apigee. Apigee now supports authentication to the Apigee Edge management UI via an external SAML-based identity provider (IdP). This makes it easy for customers to use an IdP of their choice (ADFS, Okta, Ping, or OneLogin, for example) to authenticate Apigee Edge users, as long as it supports SAML 2.0.

Here we’ll describe how we have implemented this feature, how the feature addresses multi-tenancy, and, more importantly, how you can get started.

Why SAML-based SSO?

For many security teams, this feature provides an easy way to secure user authentication on the Edge platform. It also reduces the overhead associated with provisioning new users (such as org admins or developers) and reduces the risk of terminated employees keeping access to the Edge environment post-employment.

In some cases, our customers have enterprise security policies that involve multiple authentication factors or password policies that Apigee Edge doesn’t support. This feature enables customers to seamlessly enforce their own standards and policies during authentication.

Several of our customers have multiple organizations. To implement this feature, we have introduced the concept of a “zone,” which uniquely identifies all the orgs assigned to a particular customer.

Let’s look at a simple interaction flow that leverages this feature:

1. Apigee users are provided with a new dedicated sub-domain (for example, acme.login.apigee.com).
2. Unauthenticated requests to this link get redirected to the customer identity provider (Okta or Ping, for example).
3. The user is authenticated via the customer’s identity provider, which generates a SAML 2.0 assertion and redirects the user to Apigee Edge.
4. Apigee Edge, through the Edge SSO, recognizes the authenticated user and logs the user in to the UI.

Note that the user must first exist in the customer IdP. Once the user is registered there, an Edge administrator must map the user to a role in the Edge UI.

Get started!

It’s easy. Current customers should open a support ticket requesting this feature. They’ll need to provide a unique zone name, the list of orgs for which they’ll want to enable SSO, their SAML IdP metadata URL, a list of developer portals, and the orgs that are associated with the portals. Once activated, this feature is enabled for all users within an org.

We encourage customers to try this new capability and simplify their Apigee Edge management UI login experience. Please check out the documentation, and ask questions and provide feedback on the Apigee Community.